allentech.net

Parasite: ASpam

This record last updated Tue Sep 20 2005 00:34:14

PLEASE NOTE: Due to the overwhelming extent of this problem and the unbelievable volume of email we have received, we regret that we cannot respond to questions about browser parasites at this time. If you have attempted to contact us about this parasite please accept our apology for not responding. "Thank you's" are always appreciated ;-)

Description

ASpam is a remote access trojan implemented as an IE Browser Helper Object. It is not really Unsolicited Commercial Software as it has no known commercial aim, but it is included in the detection script at this site as it is a threat detectable from web pages.

Variants

ASpam/Amcis: installs the BHO under the filename AMCIS32.DLL, with object name Amcis32.

ASpam/Drvman: the file and object names are DRVMAN32 instead, and the class ID is different.

Distribution

The installer ASPAM.EXE was attached to a mass-mailing purported to come from Microsoft (aspam@microsoft.com), offering an anti-spam feature for Outlook Express. The actual author is not currently known.

What it does

Advertising

No.

Privacy violation

No.

Security issues

Yes. Gives the attacker user-level access to the machine it is installed on.

Stability problems

No.

Removal

No uninstall feature, but many anti-virus tools target the ASpam trojan.

Manual removal

Open the registry (Start->Run->regedit) and delete the following keys. For variant Amcis:

HKEY_LOCAL_MACHINE\Software\Classes\AMCIS32.IEClass
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{657B9354-BB3B-4500-A9B0-109B4FA64815}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{657B9354-BB3B-4500-A9B0-109B4FA64815}

For variant Drvman:

HKEY_LOCAL_MACHINE\Software\Classes\DRVMAN32.IEClass
HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{499DB658-1909-420B-931A-4A8CAEFD232F}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{499DB658-1909-420B-931A-4A8CAEFD232F}

(Ignore the ‘DontDelete’ subkey in Browser Helper Objects.) Restart the computer and you should be able to delete the AMCIS32.DLL file in the System folder (to be found inside the Windows folder, ‘System’ under Windows 95/98/Me, ‘System32’ under Windows NT/2000/XP).
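To confirm which of the keys above are present before or after cleanup, the following added example (not part of the original page or of the doxdesk detection script) checks a regedit export for them. It assumes the export has already been decoded to text; the sample export is constructed for illustration.

```python
import re

HKLM = "HKEY_LOCAL_MACHINE"
BHO = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
# ProgID key and class ID per variant, exactly as listed on this page.
VARIANTS = {
    "Amcis": ("AMCIS32.IEClass", "{657B9354-BB3B-4500-A9B0-109B4FA64815}"),
    "Drvman": ("DRVMAN32.IEClass", "{499DB658-1909-420B-931A-4A8CAEFD232F}"),
}

def expected_keys(progid, clsid):
    """The three keys the manual removal steps delete for one variant."""
    return ["\\".join(p) for p in (
        (HKLM, r"Software\Classes", progid),
        (HKLM, r"Software\Classes\CLSID", clsid),
        (HKLM, BHO, clsid),
    )]

def keys_in_export(reg_text):
    """Key paths present in a .reg export, lower-cased because registry key
    names are case-insensitive. A subkey implies that its parents exist."""
    present = set()
    for line in reg_text.splitlines():
        m = re.fullmatch(r"\[(HKEY_.+)\]", line.strip())
        if not m:
            continue  # header, blank lines, value lines, "[-key]" deletions
        parts = m.group(1).lower().split("\\")
        for i in range(1, len(parts) + 1):
            present.add("\\".join(parts[:i]))
    return present

def scan(reg_text):
    """Map each variant to the listed keys that are still present."""
    present = keys_in_export(reg_text)
    return {name: [k for k in expected_keys(*ids) if k.lower() in present]
            for name, ids in VARIANTS.items()}

# Constructed sample: Amcis BHO and CLSID registered, ProgID key already removed.
# The DontDelete subkey is never reported because only exact keys are matched.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\DontDelete]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{657B9354-BB3B-4500-A9B0-109B4FA64815}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{657b9354-bb3b-4500-a9b0-109b4fa64815}\InprocServer32]
@="C:\\WINDOWS\\System32\\AMCIS32.DLL"
"""

if __name__ == "__main__":
    for variant, found in scan(SAMPLE_EXPORT).items():
        print(variant, "->", found or "no listed keys present")
```

An empty list for both variants after cleanup means none of the listed keys remain in the exported branch.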

Links

* Parasite information and detection script by Andrew Clover - www.doxdesk.com, used with permission.
